nfssec(7)    Standards, Environments, Macros, Character Sets, and miscellany    nfssec(7)
NAME
nfssec - overview of NFS security modes
DESCRIPTION
The mount_nfs(8) and share_nfs(8) commands each provide a way to specify the security mode to be used on an NFS file system through the sec=mode option. mode can be sys, krb5, krb5i, krb5p, or none. These security modes can also be added to the automount maps. mount_nfs(8) allows you to specify a single security mode; share_nfs(8) allows you to specify multiple modes (or none). With multiple modes, an NFS client can choose any of the modes in the list.
The sec=mode option on the share_nfs(8) command line establishes the security mode of NFS servers. If the NFS connection uses the NFS Version 3 protocol, the NFS clients must query the server for the appropriate mode to use. If the NFS connection uses the NFS Version 2 protocol, then the NFS client uses the default security mode, which is currently sys. NFS clients may force the use of a specific security mode by specifying the sec=mode option on the command line. However, if the file system on the server is not shared with that security mode, the client may be denied access.
If the NFS client wants to authenticate the NFS server using a particular (stronger) security mode, the client should specify that security mode explicitly, even if the connection uses the NFS Version 3 protocol, rather than accept whatever mode the server offers. This guarantees that an attacker masquerading as the server does not compromise the client.
The NFS security modes are described below. Of these, the krb5, krb5i, and krb5p modes use the Kerberos V5 protocol for authenticating and protecting the shared filesystems. Before these can be used, the system must be configured to be part of a Kerberos realm.
    sys      Use AUTH_SYS authentication. The user's UNIX user-id and group-ids are passed in the clear on the network, unauthenticated by the NFS server. This is the simplest security method and requires no additional administration. It is the default used by Solaris NFS Version 2 clients and Solaris NFS servers.
    krb5     Use Kerberos V5 protocol to authenticate users before granting access to the shared filesystem.
    krb5i    Use Kerberos V5 authentication with integrity checking (checksums) to verify that the data has not been tampered with.
    krb5p    Use Kerberos V5 authentication, integrity checksums, and privacy protection (encryption) on the shared filesystem. This provides the most secure filesystem sharing, as all traffic is encrypted. It should be noted that performance might suffer on some systems when using krb5p, depending on the computational intensity of the encryption algorithm and the amount of data being transferred.
    none     Use null authentication (AUTH_NONE). NFS clients using AUTH_NONE have no identity and are mapped to the anonymous user nobody by NFS servers. A client using a security mode other than the one with which a Solaris NFS server shares the file system has its security mode mapped to AUTH_NONE. In this case, if the file system is shared with sec=none, users from the client are mapped to the anonymous user. The NFS security mode none is supported by share_nfs(8).
    sec=mode[:mode]...
             Sharing uses one or more of the specified security modes. The mode in the sec=mode option must be a mode name supported on the client. If the sec= option is not specified, the default security mode used is AUTH_SYS. Multiple sec= options can be specified on the command line, although each mode can appear only once.
             Each sec= option specifies modes that apply to any subsequent root= options that are provided before another sec= option. Each additional sec= resets the security mode context, so that more rw, ro, rw=, ro= and root= options can be supplied for additional modes.
The NFSv4 server constructs a shared file system name space which is identical to the real file system name space on the server, including directories which are not actually shared, if they lead to shared directories. The constructed parts of the name space are known as the pseudo-fs. The pseudo-fs is always read-only.
As with NFSv3, the security mode of the shared directory is controlled using the sec=mode option of share_nfs(8). However, the security mode of pseudo-fs objects is the union of the various security modes of the shared directories below.
When an NFSv4 client performs a mount, the client traverses the server's name space, from the root, down to the directory being mounted. Using the features of the NFSv4 protocol, the client may negotiate the security flavor of the directories as it proceeds down. If no sec=mode option is given to mount_nfs or an automounter map entry, then the client will do full negotiation for each directory down to the mount point, changing security flavors as needed. If the sec=mode option is given, the client is constrained to use the requested security mode for all operations.
EXAMPLES
Example 1 Sharing /var with Kerberos Authentication and Integrity Protection
The following example shares /var with Kerberos authentication and integrity protection:
share -F nfs -o sec=krb5i /var
Example 2 Sharing /var with Kerberos Authentication and Privacy Protection
The following example shares /var with Kerberos authentication and privacy protection:
share -F nfs -o sec=krb5p /var
Example 3 Sharing /var with Kerberos Authentication and Optionally Falling Back to AUTH_SYS Authentication
The following example shares /var with Kerberos authentication and optionally falls back to AUTH_SYS authentication:
share -F nfs -o sec=krb5:sys /var
Example 4 Sharing /var with Kerberos Authentication Allowing read/write Operations for Kerberos Authenticated Users and Optionally Falling Back to AUTH_SYS Authentication Allowing only Read Operations
The following example shares /var with Kerberos authentication allowing read/write operations for Kerberos authenticated users and optionally falls back to AUTH_SYS authentication allowing only read operations:
share -F nfs -o sec=krb5,rw,sec=sys,ro /var
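The context rule described under sec=mode[:mode]... above (each sec= starts a new context, and the rw, ro, rw=, ro= and root= options that follow belong to it) is what makes Example 4 grant read/write to Kerberos users but read-only to AUTH_SYS users. The following POSIX shell function is an added example and is not part of this man page or of Solaris; nfs_sec_contexts is a hypothetical helper name, and VALID_MODES is taken from the modes listed on this page. It walks a share_nfs(8) -o option string, starts a new context at every sec= option, attaches the access options that follow to that context, rejects unknown mode names and modes listed twice, and falls back to sys when access options precede any sec=, which is the AUTH_SYS default stated above.

```shell
#!/bin/sh
# Added example (not Solaris code): split a share_nfs(8) "-o" option string
# into per-security-mode contexts, following the sec= context rule.

# Security modes named on the nfssec(7) page.
VALID_MODES="sys krb5 krb5i krb5p none"

# nfs_sec_contexts OPTIONS
# Prints one line per context: "<mode[:mode]> <access options>".
# Returns 1 on an unknown mode name or a mode that appears twice.
nfs_sec_contexts() {
    _opts=$1
    _seen=""    # modes already used; each may appear only once
    _cur=""     # mode list of the current sec= context
    _flags=""   # rw/ro/rw=/ro=/root= options collected for it
    while IFS= read -r _opt; do
        [ -n "$_opt" ] || continue
        case $_opt in
            sec=*)
                # A new sec= flushes the previous context and opens another.
                [ -z "$_cur" ] || printf '%s%s\n' "$_cur" "$_flags"
                _cur=${_opt#sec=}
                _flags=""
                # Validate every mode in the colon-separated list.
                for _m in $(printf '%s\n' "$_cur" | tr ':' ' '); do
                    case " $VALID_MODES " in
                        *" $_m "*) ;;
                        *) printf 'unknown security mode: %s\n' "$_m" >&2
                           return 1 ;;
                    esac
                    case " $_seen " in
                        *" $_m "*) printf 'mode listed twice: %s\n' "$_m" >&2
                                   return 1 ;;
                    esac
                    _seen="$_seen $_m"
                done
                ;;
            rw|ro|rw=*|ro=*|root=*)
                # Access options bind to the most recent sec=; with none
                # given yet, the page's default security mode is sys.
                [ -n "$_cur" ] || _cur="sys"
                if [ -z "$_flags" ]; then
                    _flags=" $_opt"
                else
                    _flags="$_flags,$_opt"
                fi
                ;;
            *)
                # Other share_nfs options are not mode-specific; skip them.
                ;;
        esac
    done <<EOF
$(printf '%s\n' "$_opts" | tr ',' '\n')
EOF
    [ -z "$_cur" ] || printf '%s%s\n' "$_cur" "$_flags"
    return 0
}

# Example 4 from this page: krb5 users get rw, sys users get ro.
nfs_sec_contexts "sec=krb5,rw,sec=sys,ro"
```

Reading the output line by line makes it obvious when a share grants more than intended, for example when an rw written after a sec=sys fallback silently applies to unauthenticated AUTH_SYS clients rather than to the Kerberos users it was meant for.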
FILES
/etc/nfssec.conf NFS security service configuration file
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE TYPE    ATTRIBUTE VALUE
Availability      system/file-system/nfs
SEE ALSO
rpc_clnt_auth(3C), secure_rpc(3C), nfssec.conf(5), attributes(7), automount(8), kclient(8), mount_nfs(8), share_nfs(8)
RFC 2695: Authentication Mechanisms for ONC RPC
NOTES
/etc/nfssec.conf lists the NFS security services. Do not edit this file. It is not intended to be user-configurable. See kclient(8).
Oracle Solaris 11.4 04 May 2016 nfssec(7)